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DETAILED ACTION 
Drawings 

1. Figure 1 should be designated by a legend such as —Prior Art— because only that which is 
old is illustrated. See MPEP § 608.02(g). Corrected drawing sheets are required in reply to the 
Office action to avoid abandonment of the application. The replacement sheet(s) should be 
labeled "Replacement Sheet" in the page header (as per 37 CFR 1.84(c)) so as not to obstruct any 
portion of the drawing figures. If the changes are not accepted by the examiner, the applicant 
will be notified and informed of any required corrective action in the next Office action. The 
objection to the drawings will not be held in abeyance. 

2. The drawings are objected to as failing to comply with 37 CFR 1 .84(p)(5) because they 
include the following reference character(s) not mentioned in the description: ref 158, 162, and 
170 (see page 16, lines 1-14 and Fig. 4). Corrected drawing sheets, or amendment to the 
specification to add the reference character(s) in the description, are required in reply to the 
Office action to avoid abandonment of the application. Any amended replacement drawing sheet 
should include all of the figures appearing on the immediate prior version of the sheet, even if 
only one figure is being amended. The replacement sheet(s) should be labeled "Replacement 
Sheet" in the page header (as per 37 CFR 1.84(c)) so as not to obstruct any portion of the 
drawing figures. If the changes are not accepted by the examiner, the applicant will be notified 
and informed of any required corrective action in the next Office action. The objection to the 
drawings will not be held in abeyance. 
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Specification 

3. The disclosure is objected to because of the following informalities: on page 3 , line 4 
"connection" should be "Connection"; on page 12, line 6 "processing and" should be "processing 
an"; on page 13, line 18 "or" should be "for"; and on page 15, line 10 "Al on for" should be "Al 
for". 

Appropriate correction is required. 

4. Examiner requests that Applicant update the application information found on page 1, 
lines 6-17; page 4, lines 1 1-14; page 8, lines 14-15; page 9, lines 6-11; and page 13, lines 15-17. 

Claim Rejections - 35 USC §112 

5. The following is a quotation of the second paragraph of 35 U.S. C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

6. Claim 2 is rejected under 35 U.S.C. 112, second paragraph, as being indefinite for failing 
to particularly point out and distinctly claim the subject matter which applicant regards as the 
invention. 

7. Claim 2 specifies that the first node is both a remote client and an enterprise gateway. 
The specification discloses that the second node is a remote client (page 11, lines 1-15). 
Therefore, for the purposes of prior art rejections, Examiner will interpret "said first node a 
remote client" as "said second node a remote client". 

Claim Rejections - 35 USC §102 

8. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 
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(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or 
on sale in this country, more than one year prior to the date of application for patent in the United States. 

9. Claims 1, 3-6, and 10 are rejected under 35 U.S.C. 102(b) as being anticipated by 
Srisuresh (P. Srisuresh. "RFC 2709 - Security Model with Tunnel-mode IPsec for NAT 
Domains". Network Working Group, RFC 2709. October 1999. pages 1-9). 

10. Regarding claims 1 and 10, Sresuresh discloses a method and system for operating a first 
node in a network including at least one second node, the method comprising the steps of and the 
system comprising means for: establishing at said first node a coincident endpoint (tunnel end 
point) for an outer connection (IPsec connection, output encapsulation of tunnel packet) and an 
inner connection (private connection, inner encapsulation of tunnel packet) with respect to at 
least one second node (page 2, section 2.2); responsive to receiving a nested (embedded or 
tunneled) packet (IPsec packet) from said second node on said outer connection, decapsulating 
said packet into a first packet (private packet) and then performing source-in network address 
translation on said first packet (page 4, Figure 4) where NAT translates the source addresses of 
the private network device (source address of private network is not globally unique such that it 
must be translated) (page 3, section 3) such that, as broadly defined, the NAT is source-in NAT; 
and responsive to receiving a second packet (private packet) at said inner connection, performing 
source-in network address translation on said second packet, and then encapsulating said second 
packet into a nested packet (IPsec packet) for communication on said outer connection to said 
second node (page 4, Figure 3) where NAT translates the source addresses of the private network 
device (source address of private network is not globally unique such that it must be translated) 
(page 3, section 3) such that, as broadly defined, the NAT is source-in NAT. 
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1 1 . Regarding claim 3, Sresuresh discloses, in a particular embodiment where an IKE process 
is used, a method for managing connections within a communications system, comprising the 
steps of: configuring an outer connection (connection over public network between peering node 
and gateway) (pages 1-2, section 1 and pages 2-3, section 2.2); communicating from a client 
(peering node) to a gateway on said outer connection a request to configure a secure inner 
connection (IKE communications) (pages 5-6, section 4 and Fig. 5); responsive to said request, 
initializing said gateway to receive a future nested communication, including obtaining a client 
address from a packet on said outer connection (pages 5-6, section 4fand Fig. 5); starting said 
inner connection (tunneled connection between private network and public node) (pages 3-4, 
section 3); responsive to starting said inner connection, propagating a network address 
translation rule from said outer connection to said inner connection (pages 3-5, sections 3 and 4 
and Figs. 3 and 4) where the inner connection and outer connection will need to know the NAT 
translations in order to ensure that an inbound packet is correctly translated between the outer 
connection and the inner connection and an outbound packet is correctly translated between the 
inner connection and the outer connection. 

12. Regarding claim 4, Sresuresh discloses further responsive to starting said inner 
connection, encapsulating a packet outbound from said gateway first in said inner connection and 
then in said outer connection (pages 3-4, section 3). 

13. Regarding claim 5, Sresuresh discloses responsive to receiving a packet at said gateway, 
determining if said packet has a security header (pages 3-4, section 3 and Fig. 4); responsive to 
said packet having said security header, decapsulating said packet (pages 3-4, section 3 and Fig. 
4) and saving any address translation rule included within said packet (pages 4-5, section 4, lines 
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24-59); and applying said address translation rule to said packet and thereafter communicating 
said packet from said gateway to said client (pages 3-4, section 3 and Fig. 4). 

14. Regarding claim 6, Sresuresh discloses iteratively executing said decapsulating step until 
a resulting decapsulated packet no longer contains a security header (pages 3-4, section 3 and 
Fig. 4) where, as broadly defined, the decapsulation is performed until there are no more security 
headers. 

Claim Rejections - 35 USC §103 

15. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

16. Claims 2, 7-9, 1 1-14, and 16-22 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Srisuresh (P. Srisuresh. "RFC 2709 - Security Model with Tunnel-mode IPsec 
for NAT Domains". Network Working Group, RFC 2709. October 1999. pages 1-9). 

17. Regarding claim 2, Sresuresh discloses as a possible application having the first node 
comprise an enterprise gateway and the second node a remote client (pages 6-7, section 5.2). 
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to have the first node comprise an enterprise gateway and the second node a remote 
client since this is a possible application. 

18. Regarding claim 7, Sresuresh discloses a method for enabling a local gateway to handle 
IP addresses from remote clients, comprising the steps of: assigning said IP address to a remote 
client (pages 3-5, sections 3 and 4); automatically maintaining between said remote client and 
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said gateway nested connections with local coincident endpoints (pages 3-5, sections 3 and 4). 
Sresuresh also discloses as a possible application that the BP addresses can be dynamically 
assigned IP addresses (temporary service provider assigned address) (pages 6 and 7, section 5.2). 
Thus, it would have been obvious to one of ordinary skill in the art at the time of the invention to 
have the IP addresses be dynamically assigned IP addresses since this is part of a possible 
application. 

19. Regarding claim 8, Sresuresh discloses that said nested connections comprise an inner 
connection and an outer connection (pages 3-5, sections 3 and 4). 

20. Regarding claim 9, Sresuresh discloses responsive to receiving a nested packet from said 
client on said outer connection, decapsulating said packet into a first packet and then performing 
source-in network address translation on said first packet (pages 3-4, section 3 and Fig. 4) where 
NAT translates the source addresses of the private network device (source address of private 
network is not globally unique such that it must be translated) (page 3, section 3) such that, as 
broadly defined, the NAT is source-in NAT; and responsive to receiving a second packet at said 
inner connection, performing source-in network address translation on said second packet, and 
then encapsulating said second packet into a nested packet for communication on said outer 
connection to client (pages 3-4, section 3 and Fig. 3) where NAT translates the source addresses 
of the private network device (source address of private network is not globally unique such that 
it must be translated) (page 3, section 3) such that, as broadly defined, the NAT is source-in 
NAT. 

21. Regarding claims 1 1 and 16, Sresuresh discloses performing NAT in tunneled 
connections (page 3-5, sections 3 and 4). Sresuresh also discloses that one application of the 
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NAT in tunneled connections is in VPNs (pages 6-7, section 5.2), such that it would have been 
obvious to one of ordinary skill in the art at the time of the invention to apply the NAT in 
tunneled connections to a VPN. Thus, Sresuresh discloses a method and system for extending 
virtual private network (VPN) network address translation (NAT) to include support for nested 
connections with coincident endpoints (tunnel end points), without requiring any special 
configuration for the inner (nested) VPN connection, with respect to VPN NAT (pages 3-7, 
sections 2.2, 3, 4, and 5.2), the method comprising the steps of and the system comprising means 
for: configuring an outer connection with a VPN NAT rule (connection over public network 
between peering node and gateway) (pages 1-2, section 1 and pages 2-3, section 2.2); 
communicating from a client (peering node) to a gateway on said outer connection a dynamically 
generated security association request packet to configure a secure inner connection (EKE 
communications) (pages 5-6, section 4 and Fig. 5); responsive to said request, initializing said 
gateway to receive a future nested communication, including obtaining a client address from said 
request packet on said outer connection (pages 5-6, section 4 and Fig. 5); starting said inner 
connection (tunneled connection between private network and public node) (pages 3-4, section 
3); responsive to starting said inner connection, propagating said VPN NAT rule from said outer 
connection to said inner connection (pages 3-5, sections 3 and 4 and Figs. 3 and 4) where the 
inner connection and outer connection will need to know the NAT translations in order to ensure 
that an inbound packet is correctly translated between the outer connection and the inner 
connection and an outbound packet is correctly translated between the inner connection and the 
outer connection. 
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22. Regarding claim 12, Sresuresh discloses further responsive to starting said inner 
connection, encapsulating a packet outbound from said gateway first in said inner connection and 
then in said outer connection (pages 3-4, section 3). 

23. Regarding claim 13, Sresuresh discloses responsive to receiving a packet at said gateway, 
determining if said packet has a security header (pages 3-4, section 3 and Fig. 4); responsive to 
said packet having said security header, decapsulating said packet (pages 3-4, section 3 and Fig. 
4) and saving any VPN NAT rule included within said packet (pages 4-5, section 4, lines 24-59); 
and applying said NAT rule to said packet and thereafter communicating said packet from said 
gateway to said client (pages 3-4, section 3 and Fig. 4). 

24. Regarding claim 14, Sresuresh discloses iteratively executing said decapsulating step 
until a resulting decapsulated packet no longer contains a security header (pages 3-4, section 3 
and Fig. 4) where, as broadly defined, the decapsulation is performed until there are no more 
security headers. 

25. Regarding claims 17 and 18, incorporating the rejection of claims 1 and 10, Sresuresh 
discloses all of the limitations of claims 17 and 18, as outlined in the rejection of claims 1 and 
10, except having a program storage device readable by a machine, tangibly embodying a 
program of instructions executable by a machine to perform the method where the program 
operates a first node. Examiner takes official notice that it is well known in the art to use 
software to implement a method since software is very flexible. Therefore, it would have been 
obvious to one of ordinary skill in the art at the time of the invention to have a program storage 
device readable by a machine, tangibly embodying a program of instructions executable by a 
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machine to perform the method where the program operates a first node since software is very 
flexible. 

26. Regarding claims 19-22, incorporating the rejection of claims 3-6, Sresuresh discloses all 
of the limitations of claims 19-22, as outlined in the rejection of claims 3-6, except having 

a program storage device readable by a machine, tangibly embodying a program of instructions 
executable by a machine to perform the method. Examiner takes official notice that it is well 
known in the art to use software to implement a method since software is very flexible. 
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to have a program storage device readable by a machine, tangibly embodying a 
program of instructions executable by a machine to perform the method since software is very 
flexible. 

27. Claim 15 is rejected under 35 U.S.C. 103(a) as being unpatentable over Srisuresh (P. 
Srisuresh. "RFC 2709 - Security Model with Tunnel-mode IPsec for NAT Domains". Network 
Working Group, RFC 2709. October 1999. pages 1-9) as applied to claim 13 above, and further 
in view of Hluchyj et al. (USPN 6,282,193). 

28. Regarding claim 15, Sresuresh does not expressly disclose supporting L2TP within said 
internal connection. Hluchyj teaches, in a communication system, that L2TP is a secure protocol 
for implementing tunneling (col. 6, lines 35-37). Therefore, it would have been obvious to one of 
ordinary skill in the art at the time of the invention to support L2TP within said internal 
connection since L2TP is a secure protocol for implementing tunneling. 
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Conclusion 



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Daniel J. Ryman whose telephone number is (571)272-3152. The 
examiner can normally be reached on Mon.-Fri. 7:00-4:30 with every other Friday off. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Huy Vu can be reached on (571)272-3155. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



Daniel J. Ryman 
Examiner 
Art Unit 2665 
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